Many software publishers digitally “sign” the files or applications they create or publish in order to demonstrate the authenticity of those files and applications. For example, a software publisher may encrypt the hash of a file with its private key under a public-key cryptographic system in order to demonstrate that the file has been signed by an authoritative party. A valid digital signature gives recipients reason to believe that a digitally signed file was created by a known sender and has not been altered since leaving the sender's possession.
Computer security software currently typically treats digitally signed files as trusted, allowing such files to be executed or otherwise accessed without first performing an independent evaluation of their trustworthiness (for example, scanning them for malware). Unfortunately, digital signing schemes may be compromised in a variety of ways, including by physically obtaining the private key an entity uses to digitally sign files and by tricking an entity into signing a file through various social-engineering attack vectors. In fact, in recent years at least one security-software publisher has identified a rise in digitally signed files that contain malware, adware, spyware, grayware, or the like.
As such, the instant disclosure identifies a need for improved methods and systems for detecting, blocking, and/or removing malicious and/or untrustworthy files, even if such files have been digitally signed.
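The trust decision described above, as an added example that is not part of the disclosure: a stdlib-only toy RSA signature check (keypair constructed from two well-known Mersenne primes so it runs offline; not a real publisher key) next to a constructed hash blocklist standing in for a malware scan, contrasting the current policy, where a valid signature skips the scan, with one that evaluates the file regardless of its signature.

```python
import hashlib

# Toy RSA keypair built from two well-known Mersenne primes (constructed for this
# demonstration only; a real publisher's private key is secret and not derivable).
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python 3.8+)

# Constructed sample files and a constructed blocklist of SHA-256 digests of
# files the security software already knows to carry malware.
BENIGN_FILE = b"constructed benign installer payload"
MALWARE_FILE = b"constructed malicious payload a publisher was tricked into signing"
KNOWN_BAD = {hashlib.sha256(MALWARE_FILE).hexdigest()}


def _hash_as_int(data: bytes) -> int:
    # A 256-bit digest is always smaller than the ~648-bit modulus N.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Textbook RSA signature: the file hash raised to the private exponent mod n."""
    return pow(_hash_as_int(data), d, n)


def signature_valid(data: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Recover the signed hash with the public exponent and compare to the file's hash."""
    return pow(sig, e, n) == _hash_as_int(data)


def scan(data: bytes) -> bool:
    """Independent evaluation of the file itself; True when nothing bad is found."""
    return hashlib.sha256(data).hexdigest() not in KNOWN_BAD


def legacy_policy(data: bytes, sig: int) -> str:
    """Current behaviour: a valid signature short-circuits the scan entirely."""
    if signature_valid(data, sig):
        return "allow"
    return "allow" if scan(data) else "block"


def improved_policy(data: bytes, sig: int) -> str:
    """The signature no longer bypasses evaluation: a signed file is scanned like any other."""
    if not scan(data):
        return "block"  # blocked even though signature_valid(data, sig) may be True
    return "allow"
```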